Re: Windows Event Log Data Parsing (Packet Data)

Having to add thousands of data sources, manage them all and update them would be a nightmare. With WEC I can ensure that any new workstations get SIEM logging immediately via Group Policy, and I only have to manage a single data source (the Windows Event Collector server).

Re: Windows Event Log Data Parsing (Packet Data)

I haven't added PC events like you did via WEF, but I thought that although you use a log aggregator, you still have to add data sources individually under the single WEF parent data source; the SIEM won't add them for you, otherwise all PC events will come under the same data source?

Re: Windows Event Log Data Parsing (Packet Data)

The data looks like this because it is transmitted to the SIEM in MEF format. The MEF parser then explodes the data to appear as it does in your screenshot. MEF has extensions that allow you to control the field assignment in the SIEM.

I have found that using another technology such as nxlog, or something similar, to get the data out of the Windows Event Log is the easiest solution, and you can control the parsing.
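To illustrate the nxlog approach mentioned in the reply above, here is an added example configuration (constructed for this thread, not posted by the author and not from the nxlog project's documentation). It reads selected Windows Event Log channels with the im_msvistalog module, tags each record with the collecting host, applies one noise filter, and ships the events to a SIEM as JSON over TCP. The channel list, the filtered event ID, the hostname siem.example.internal and port 514 are assumptions; replace them with the values for your environment.

```conf
# Constructed nxlog.conf excerpt for forwarding Windows Event Log data to a SIEM.
# Host, port, channels and the filtered event ID below are assumed placeholders.

<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Collect only the channels the SIEM needs (assumed channel list).
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Drop a noisy event class (5156 chosen as an assumed example) and stamp
    # the record with the forwarding host so the SIEM can key on it.
    Exec    if $EventID == 5156 drop(); $SourceHost = hostname_fqdn();
</Input>

<Output siem>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    # Serialize every field of the event as one JSON object per line.
    Exec    to_json();
</Output>

<Route eventlog_to_siem>
    Path    eventlog => siem
</Route>
```

Because the parsing happens in nxlog before the data leaves the host, the fields arriving at the SIEM are the ones you chose in the Exec statements, which is the control over field assignment the replies above are after. Restrict the channel list and filters deliberately: every event you drop here never reaches the SIEM, so audit the filter against your detection requirements before rolling it out via Group Policy.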
